Technical Team/Proposals/2012-03-05/Inline signed SPDX files

Issue

Currently there is no way to be sure that an SPDX file has not been modified by a third party after it was produced. See also issue 980.

Proposal

Modify the spec to state that SPDX producers may cryptographically sign SPDX files using the PGP clear-text signature format. This format embeds a clear-text copy of the signed file inside a text-based wrapper that carries the cryptographic signature, so the data and its signature travel as a single file. SPDX consumers must accept signed SPDX files (that is, read the SPDX data out of the wrapper) but would not be required to authenticate the signature. SPDX producers would have the option of signing SPDX files but would not be required to do so.

Command to sign an SPDX file

$ gpg --clearsign sample.spdx
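As an added illustration of the consumer side of this proposal (not part of the original proposal and not code from any SPDX tool), the following Python strips the clear-text signature wrapper defined in RFC 4880 section 7.1 from a signed file and passes an unsigned file through untouched. The SPDX fragment and the armored signature block are constructed for the example; the signature is a placeholder, not a real one, and nothing here authenticates it. Two details a consumer that merely accepts signed files still has to get right are shown: lines the signer dash-escaped must be unescaped, and text outside the signed envelope must not be treated as part of the file.

```python
"""Unwrap a PGP clear-signed SPDX file (RFC 4880 section 7.1).

Separates the signed body from the armor wrapper so a consumer can read
signed and unsigned SPDX files alike. It does NOT verify the signature;
that is left to an OpenPGP implementation such as gpg --verify.
"""

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


class ClearsignError(ValueError):
    """A file that starts like a clear-signed message but is malformed."""


def unwrap_clearsigned(text):
    """Return (body, signature_armor) for a clear-signed file, or
    (text, None) for a plain, unsigned file.

    Only whitespace may appear outside the signed envelope: content placed
    before the BEGIN line or after the END line is not covered by the
    signature, and a consumer that merged it in would be reading unsigned
    data as if it were signed.
    """
    lines = text.splitlines()
    if BEGIN_MSG not in lines:
        return text, None  # plain SPDX file: pass through unchanged

    start = lines.index(BEGIN_MSG)
    if any(line.strip() for line in lines[:start]):
        raise ClearsignError("unsigned content before the signed message")

    # Armor headers ("Hash: SHA256", possibly several) end at the first empty
    # line. Anything else (e.g. GnuPG's "NotDashEscaped:") means the body was
    # not dash-escaped the way this unwrapper assumes, so refuse it.
    i = start + 1
    while i < len(lines) and lines[i] != "":
        if not lines[i].startswith("Hash:"):
            raise ClearsignError("unsupported armor header: %r" % lines[i])
        i += 1
    if i == len(lines):
        raise ClearsignError("no blank line after the armor headers")
    i += 1  # skip the single blank line that precedes the body

    try:
        sig_start = lines.index(BEGIN_SIG, i)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        raise ClearsignError("signature block missing or truncated")

    if any(line.strip() for line in lines[sig_end + 1:]):
        raise ClearsignError("unsigned content after the signature block")

    # Undo dash-escaping: the signer prefixed every body line that began with
    # "-" (and may have prefixed others) with "- ". Without this step a line
    # such as "-----" inside an SPDX <text> field would be returned corrupted.
    body_lines = [l[2:] if l.startswith("- ") else l for l in lines[i:sig_start]]
    body = "\n".join(body_lines) + "\n"
    signature = "\n".join(lines[sig_start:sig_end + 1]) + "\n"
    return body, signature


# Constructed sample (not real tool output): an SPDX 1.0 tag/value fragment
# as gpg --clearsign would wrap it. The <text> field deliberately contains a
# line that, unescaped, equals the signature boundary; dash-escaping is what
# keeps it from being mistaken for the real one. The signature block is a
# placeholder and will not verify.
SIGNED_SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

SPDXVersion: SPDX-1.0
DataLicense: PDDL-1.0
Creator: Tool: ExampleTool-1.0
PackageName: example
PackageDescription: <text>Build notes:
- - built with -O2
- -----BEGIN PGP SIGNATURE-----
</text>
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJPVAAAAAoJEPLACEHOLDERSIGNATUREBLOCK
=AbCd
-----END PGP SIGNATURE-----
"""

UNSIGNED_SAMPLE = "SPDXVersion: SPDX-1.0\nDataLicense: PDDL-1.0\n"

if __name__ == "__main__":
    body, sig = unwrap_clearsigned(SIGNED_SAMPLE)
    print(body)
    print(sig)
```

A consumer that also chooses to authenticate the file hands the unmodified signed file to an OpenPGP implementation (gpg --verify) rather than the unwrapped body: the signature is computed over the text with trailing whitespace removed and CRLF line endings, and the OpenPGP implementation applies that canonicalization itself.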

Advantages

Embedding the signature in the SPDX file has several advantages. Keeping the data and its signature together reduces the chance that the two are accidentally separated as the SPDX data is passed from person to person. Such a separation could happen if a detached signature file is simply forgotten, and it happens very easily whenever an SPDX file is renamed. Keeping the two together also makes tooling easier to build, because locating the signature is less error prone. Embedding the signature prevents whole classes of mistakes from occurring and so removes the need to cope with them.

Compatibility

This proposal will produce files that are not backwards compatible. Specifically, a signed file will not be readable by SPDX-1.0 compliant consumers. However, files produced by SPDX-1.0 compliant tools will continue to be valid SPDX files, and tools that support signing, as described above, will be able to consume SPDX-1.0 files with no changes.